How to arrange with websites not allowing some special characters/symbols in password

urtoorso

01 May, 2020 02:45 PM

Since some websites do not allow all special characters, e.g. no @ sign, I currently have to reduce the password length, since I use the maximum profile to allow a generated password anyway. This not only reduces the password strength, but also makes it difficult to remember which profile I used for generation.

How can I handle this?

  1. Support Staff 1 Posted by Maarten Billemo... on 01 May, 2020 03:06 PM

    Hi! Thanks for reporting this.

    We are actively looking for websites that do not support the default password template (Long Password). If you can share which website is giving you issues (and any in the future), we'd like to add them to our research.

    The goal is to update the app with a password type that is more universally supported and maintains maximum levels of entropy.

  2. 2 Posted by urtoorso on 01 May, 2020 04:06 PM

    The German Telekom allows those but only max. 16 characters:
    !#$%&()*+,-./<=>[email protected][]_{|}~

    They don't allow colons.

    DKB.de: !$%&/()=?+#,.:-äüöÄÜÖß

    Here no @ or semicolon.

    A bit annoying that companies restrict characters 

  3. 3 Posted by urtoorso on 03 May, 2020 01:54 PM

    But the question is still how can I handle this? Does it mean there is no other solution than selecting a profile with lower length?

  4. 4 Posted by user on 30 May, 2021 02:35 AM

    Hi Maarten,

    I wonder if a new text box could be added in the "Show site settings" section: Upon encountering a character that the site does not support, we could enter it into this text box and during password creation, the program could generate a password precluding the unsupported characters? Just a thought.

    During my tests and experiments, I've encountered the following limitations of these sites:
    ssa.gov: Only supports [email protected]#$%^&*
    paypal.com: Only supports [email protected]$%^&*()
    bankofamerica.com: Only supports @#*()+={}/?~;,-_
    americanexpress.com: Only supports %&?#=-
    equifax.com: Only supports [email protected]$*+-
    usps.com: Only supports -().&?'#/"+!

    Essentially I've used the "Maximum" Password Type and then incremented the Counter repeatedly until a password is generated that only has symbols that each respective site can support. So for example, referencing the above, for equifax.com, if a password yields a ^ or a # or a %, I have to re-roll another password until only the supported characters are yielded.

    Conversely, instead of a text box of unsupported characters as described above, the text box could be populated with only the valid characters, essentially accomplishing the same --probably easier to implement this method instead, since it clearly defines the valid set of special characters.

    Separately, there are some sites that require two digits. For example, vanguard.com requires two digits (which using the "Long" Password Type only generates one digit). Perhaps another feature could be an arrow up/down that sets the number of digits to be yielded in the generated password?

    Many thanks for your superb work on this Master Password, Maarten! Keep up the excellent work!

  5. 5 Posted by urtoorso on 30 May, 2021 11:43 AM

    The main problem is not only to generate accepted passwords. The important thing for me is also that you can regenerate them at any time. However, if you increase the generation complexity, it becomes difficult to recover all the factors to generate the original password again. For example, if settings are lost or you are abroad.

    Therefore, I have switched to generating only alphanumeric passwords with a fixed special character. This works on almost all pages. And the password is also sufficiently secure due to its length. Can be tested here:
    https://howsecureismypassword.net

  6. Support Staff 6 Posted by Maarten Billemo... on 30 May, 2021 01:04 PM

    Yes, I have been collecting data on password policies of a variety of websites in order to construct a more universally acceptable password template. This would most likely involve pure ASCII alphanumeric characters with a single fixed "special" character, chosen deliberately to be maximally compatible across policies.

    @user To that end, your list of sites is very helpful. Would you mind adding them to this post so I have everything I need to add them to my data points? https://chat.spectre.app/d/34-contribute-website-password-policies

  7. 7 Posted by user on 03 Jun, 2021 12:31 AM

    Hi Maarten,

    Will do! Glad to assist. You're doing great work and we all appreciate it!
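
Added example, not part of any post in this thread and not the Master Password / Spectre algorithm: a sketch of the per-site allowed-symbol setting suggested in reply 4, which with a one-character symbol set also covers the fixed-special-character template from replies 5 and 6. The HMAC-based derivation, the function names and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import string

ALNUM = string.ascii_letters + string.digits
# Constructed demo key; a real tool would derive it from the master secret with a slow KDF.
DEMO_KEY = b"constructed-demo-key"

def stream_bytes(key: bytes, site: str, counter: int):
    """Deterministic byte stream: HMAC-SHA256 over site, counter and block index."""
    block = 0
    while True:
        msg = f"{site}\x00{counter}\x00{block}".encode()
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        block += 1

def pick(stream, alphabet: str) -> str:
    """Rejection-sample one character so each symbol is equally likely."""
    limit = 256 - (256 % len(alphabet))
    for b in stream:
        if b < limit:
            return alphabet[b % len(alphabet)]

def site_password(key, site, counter=1, length=20, symbols="-"):
    """One upper, lower, digit and allowed symbol, then fill from all allowed characters."""
    s = stream_bytes(key, site, counter)
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, symbols]
    chars = [pick(s, c) for c in classes]
    chars += [pick(s, ALNUM + symbols) for _ in range(length - len(chars))]
    return "".join(chars)

def entropy_bits(length, symbols):
    """Entropy of the template above for a given length and symbol set."""
    fixed = 2 * math.log2(26) + math.log2(10) + math.log2(len(symbols))
    return fixed + (length - 4) * math.log2(len(ALNUM + symbols))

if __name__ == "__main__":
    amex = "%&?#=-"  # symbol set reported for americanexpress.com in the thread
    print(site_password(DEMO_KEY, "americanexpress.com", length=16, symbols=amex))
    print(site_password(DEMO_KEY, "example.com"))  # 20 characters, single fixed symbol
    print(round(entropy_bits(16, amex), 1), round(entropy_bits(20, "-"), 1))
```

Because the symbol set is an input to the derivation, it has to be known again, along with the site name, counter and length, to regenerate the same password, which is the recoverability concern raised in reply 5.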
